
Request #10729 session_regenerate_id() should be called every time start() is called
Submitted: 2007-04-14 22:16 UTC
From: repher Assigned: aashley
Status: Closed Package: Auth (version 1.5.1)
PHP Version: 5.2.0 OS: Linux/Debian
Roadmaps: 1.5.2    

 [2007-04-14 22:16 UTC] repher (Bernhard Picher)
Description:
------------
The session id should change every time the start() method is called to avoid session hijacking.

Test script:
---------------
function start()
{
    $this->log('Auth::start() called.', AUTH_LOG_DEBUG);
--> session_regenerate_id(true);
    $this->assignData();
    if (!$this->checkAuth() && $this->allowLogin) {
        $this->login();
    }
}

Comments

 [2007-04-15 10:52 UTC] aashley (Adam Ashley)
Patch as submitted is not going to be applied. Regenerating the session id causes problems with browser back and forward in some applications; changing this now would be a BC break. Maybe doable as a configurable option.
 [2007-04-15 11:20 UTC] repher (Bernhard)
Ok. I agree. I uploaded a patch adding this configuration option.
 [2007-06-12 03:12 UTC] aashley (Adam Ashley)
This bug has been fixed in CVS.

If this was a documentation problem, the fix will appear on pear.php.net by the end of next Sunday (CET). If this was a problem with the pear.php.net website, the change should be live shortly. Otherwise, the fix will appear in the package's next release.

Thank you for the report and for helping us make PEAR better.

Also added code so that on initial login, if regenerate session id is enabled, session_regenerate_id() is called only once, not twice as original patch would do. Renamed option to regenerateSessionId.
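
The behaviour the thread settles on (an opt-in regenerateSessionId option, with at most one session_regenerate_id() call per request even when a login happens) is sketched below as an added example. It is not the code committed to PEAR Auth: the SessionGuard class, its methods and the user name are hypothetical, and rotating at login when the option is off is this example's own choice.

```php
<?php
// Added illustration, not PEAR Auth code; SessionGuard and its members are hypothetical.
final class SessionGuard
{
    private $regenerateSessionId;   // opt-in, so existing applications keep their behaviour
    public $rotations = 0;          // id rotations performed during this request

    public function __construct(bool $regenerateSessionId = false)
    {
        $this->regenerateSessionId = $regenerateSessionId;
    }

    // Run at the top of every request, like Auth::start() in the report.
    public function start(): void
    {
        if (session_status() !== PHP_SESSION_ACTIVE) {
            session_start();
        }
        if ($this->regenerateSessionId) {
            $this->rotate();
        }
    }

    // Run after the caller has verified the credentials.
    public function login(string $username): void
    {
        // This example's choice: rotate at login even with the option off,
        // so an id issued before authentication is never reused afterwards.
        $this->rotate();
        $_SESSION['username'] = $username;
    }

    private function rotate(): void
    {
        if ($this->rotations > 0) {
            return;                 // start() already rotated: once, not twice
        }
        // true deletes the old session's data, so a later request that
        // still carries the old id finds no session.
        session_regenerate_id(true);
        $this->rotations++;
    }
}

// CLI demo with a constructed user name; cookies off, output only at the end.
ini_set('session.use_cookies', '0');
$guard = new SessionGuard(true);
$guard->start();
$guard->login('alice');
echo "rotations in this request: {$guard->rotations}\n";
```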